[38857] in bugtraq


Re: Linux kernel ELF core dump privilege elevation

daemon@ATHENA.MIT.EDU (codeQ)
Fri May 13 17:05:14 2005

From: codeQ <newsclient@teamq.info>
To: Bruno Lustosa <bruno.lists@gmail.com>
Cc: bugtraq@securityfocus.com
In-Reply-To: <b9e0c3fe050511123454aa2ada@mail.gmail.com>
Date: Thu, 12 May 2005 19:52:53 +0200
Message-Id: <1115920373.6287.8.camel@localhost.localdomain>

I wasn't able to make it work either, getting exactly the same output
(without GCC's warnings). I'm on a Debian 2.6.11-7 kernel. I just tested
it but really didn't even look at why it failed, and didn't even gdb the core.

If someone notices what's wrong with the POC, please let me know.

Thanks,
Pablo Fernandez


Forwarded message - Re: Linux kernel ELF core dump privilege elevation

Message-ID: <b9e0c3fe050511123454aa2ada@mail.gmail.com>
Date: Wed, 11 May 2005 16:34:58 -0300
From: Bruno Lustosa <bruno.lists@gmail.com>
Reply-To: Bruno Lustosa <bruno.lists@gmail.com>
To: bugtraq@securityfocus.com
Subject: Re: Linux kernel ELF core dump privilege elevation
In-Reply-To: <Pine.LNX.4.44.0505101615410.1618-100000@isec.pl>
References: <Pine.LNX.4.44.0505101615410.1618-100000@isec.pl>

On 5/11/05, Paul Starzetz <ihaquer@isec.pl> wrote:
> since it became clear from the discussion in January about the uselib()
> vulnerability, that the Linux community prefers full, non-embargoed
> disclosure of kernel bugs, I release full details right now. However, to
> follow at least some of the responsible disclosure rules, no exploit code will be
> released. Instead, only a proof-of-concept code is released to demonstrate
> the vulnerability.

Paul, I was unable to make it work on my amd64.
Running Gentoo on kernel 2.6.11.
This was the output:

[+] Compiling...elfcd1.c: In function `main':
elfcd1.c:48: warning: implicit declaration of function `strlen'
elfcd1.c:54: warning: implicit declaration of function `memset'
elfcd1.c:60: warning: implicit declaration of function `strcmp'
/usr/lib/gcc/x86_64-pc-linux-gnu/3.4.3/../../../../x86_64-pc-linux-gnu/bin/ld:
warning: i386:x86-64 architecture of input file `/tmp/ccSCdKeo.o' is
incompatible with i386 output

[+] ./elfcd1 argv_start=0x7ffffffff451 argv_end=0x7ffffffff459  ESP: 0xfffff0e0
[+] phase 1
[+] AAAA argv_start=0x7fffffff6fea argv_end=0x7fffffff6fee  ESP: 0xffff6de0
[+] phase 2, <RET> to crash Segmentation fault (core dumped)

-- 
Bruno Lustosa, aka Lofofora          | Email: bruno@lustosa.net
Network Administrator/Web Programmer | ICQ: 1406477
Rio de Janeiro - Brazil              |
